SANS ISC InfoSec Forums

Secunia (http://secunia.com/advisories/22542/ is reporting a new Microsoft Internet Explorer (MSIE) 7.0 vulnerability. This vulnerability allows a malicious site to spoof the content of the address bar. Instead of the actual URL, the user will see a "fake" URL. We tested the vulnerability and found it to work quite well. As a quick workaround you may want to configure MSIE 7.0 to open new windows in a new tab. In order to do this, Tools -> Internet Options -> Tabs Settings -> When a pop-up is encountered: Always open pop-ups in a new tab.

(click image for full size)

The PoC exploit by Secunia is pushing the real URL off the screen to the left by adding multiple '%A0' characters between the real URL and the string 'www.microsoft.com'. It appears that the new window will only show right-most part of the URL. For tabs, the left most part is shown.

This vulnerability has a lot of potential for phishers or others that attempt to trick the user into trusting the popup window as they trust the site displayed in the main window.

Update:

Jeroen writes in to tell us:

"By default, Safari doesn't show the address bar in a popup ... so this trick will probably also work for Safari users since the popup window has the title 'Microsoft Corporation'. If you choose to display the address bar, it displays the correct URL (secunia).

Thanks Jeroen.-Chris

UPDATE 2:

We received a lot of reports from our readers suggesting that Firefox and some other browsers are vulnerable to this exploit as well.

In case of this vulnerability, it is not easy to say if a browser is vulnerable or not ? we're not talking about exploiting a remote execution so it either works or it doesn't work. In this case, an attacker is actually trying to make the user believe that he's on a different site, and that can be, unfortunately, done using this vulnerability on almost all browsers.

If you try the test on Secunia's web page with other browsers, you will see different results, shown below.

Firefox (both 1.5.x and 2.0 versions) will open a new pop-up window completely without the address bar, so it's irrelevant what the JavaScript code attempts to do. The good thing about Firefox is that it will show the real site you connected to in the window title bar, as shown in the screen shot below. This is why the exploit does not work in Firefox as it should, but of course ? a user can still be fooled with this if they don't check the window title bar:

Opera is also not vulnerable to this exploit, but the pop-up window looks a bit different. You can see that it prints the real site name below the window title, but again, a user might miss this: